Solved

Remote Access to company mail

Posted on 2004-09-13
Last Modified: 2011-09-20
Hello,

I have a problem.  My company has an internal Exchange 2003 Server, running on Windows 2003 SBS.  This Exchange Server downloads mail from our webhost, and therefore does not directly receive mail for our domain.  All mail forwarded to my email address first goes to our webhost, then our Exchange Server gets it from there and distributes it accordingly.

I need to get remote access to my mail by the most secure means possible.  We have a current network administrator that is paranoid about publishing internal resources onto the web, yet we NEED to get our mail remotely.

I have done A LOT of reading on this topic, and have decided to use MS ISA Server and Outlook Web Access (OWA) to facilitate access to the internal mail.  That way, we will be able to log on from anywhere with an internet connection, and view our existing archive of mail.

This poses several problems (and questions) however.

Internet Connection - our internet connection is a home user ADSL type plan, with a dynamic IP address.  The DSL line comes into our building and plugs straight into a 4 port DSL modem/router.  Our server is then run off the router, as well as all our client machines.  We do not have any dedicated hardware firewall devices.  We are solely relying on the NAT firewall that is in our router.  We have no DNS name mapped to any internal resources; our webhost hosts all mail and web content.

What would be the best way to get remote access to our OWA Mail?  I can currently type SERVERNAME\EXCHANGE into internet explorer and get the OWA successfully.  Our next step is to SECURELY publish this to make it accessible to the internet.  Can anyone please give me an idea on what the best way would be to configure ISA Server to allow secure remote access to the webmail?

Thank you,

Dean.
Question by:aktivemofo
11 Comments
 
LVL 16

Accepted Solution

by:
The--Captain earned 100 total points
ID: 12041752
Is there some reason why you cannot just pull your mail from the same place the exchange server gets it via some sort of webmail gateway?  

Hosting externally visible internet services on a dynamic IP is ill-advised, although some folks can't seem to live without it - to that end, folks like those at http://www.dyndns.org/ are there to fill the void.  

>I can currently type SERVERNAME\EXCHANGE into internet explorer and get the OWA successfully

Hmmm - that sounds like something that is unlikely to work outside the LAN - are there any secure webmail clients (ie use https) that you can install on your exchange server?  

Cheers,
-Jon
 
LVL 7

Assisted Solution

by:gnegrota
gnegrota earned 100 total points
ID: 12041844
OWA does have the HTTPS access mode; the problem is that this type of connection is unsafe in any case if you are not using a 'real' firewall. The 'best' way is to set up VPN (with IPSec, for ex.) access in your network, and from there to access OWA over HTTPS and firewall all other things. Check your router's capabilities for VPN access.
To 'detect' the IP of your connection, use the suggestion of The--Captain!
 
LVL 5

Assisted Solution

by:ITcrow
ITcrow earned 100 total points
ID: 12041989

Connect using VPN
Outlook Web Access to access emails.

Since your company has dynamic IP address, follow Jon's suggestion and go to
http://www.dyndns.org for a work-around.
 
LVL 9

Assisted Solution

by:cooledit
cooledit earned 100 total points
ID: 12042029
hi, there

You mentioned remote clients get a dynamic IP from the provider, right?

If you split the network into 3 subnets

1 for the internal users
1 for the Exchange server DMZ zone (I assume it's already there)
1 for the remote users

Internal ACL's have access to all + Exchange server by new route

Remote Users only to smtp port 25 forward it to the IP of the exchange server.
 
LVL 13

Assisted Solution

by:hstiles
hstiles earned 100 total points
ID: 12045113
Whatever solution you choose, the more secure you want to make it, the more complex it will probably end up being.

I would prefer a VPN type solution to anything else simply because it would give you the greatest flexibility:

using the VPN approach you could:

set up OWA via VPN.  This would remove the need for SSL encryption
use Outlook as you would in the office just providing the exchange server name
use IMAP and SMTP - although unnecessary if you are VPNing in

Otherwise:

OWA but you would have to protect via SSL and preferably publish using ISA
IMAP over the internet
Outlook via RPC over HTTPS, but this would require a front end Exchange server even if you are using ISAS
 

Author Comment

by:aktivemofo
ID: 12049808
Hello,

Thank you all for your suggestions.

Unfortunately, I could not convince my colleagues to consider a VPN.  It looks like we will have to use ISA Server and publish the resources as needed.

What is the best practice to install an ISA Server?  Does it HAVE to live in the DMZ? And if so, does the ISA Server software protect that actual machine - IE will it act as a desktop firewall for that particular box?  We do not have (and cannot afford) any firewalls.. we pretty much have software only.  If we did resolve to use ISA Server, would the setup be like this:

[INTERNET] --> [ROUTER] --> [ISA SERVER] --> [SWITCH] --> [INTERNAL LAN]

I think that the biggest problem I have is understanding where to put the ISA Server, and how many network cards does it need?  So many of the guides I have read say that you need 2 NICs in the ISA box.. one for internal and one for external?

Once again, any suggestions are welcome.

Thanks in advance.

-DEAN.
 
LVL 7

Expert Comment

by:gnegrota
ID: 12051972
The best practice is
                       _____            ________
---LAN(inside)--------/ ISA /----------| Router |----------->( ISP )
                      ^^^^^^^           ========
                         |
                         | [dmz]
                       __|____
                      / Server/
                      ---------

In this case, ISA can be used to isolate the servers (Web, Mail, etc.), VPN access inside, firewall and filter.
 

Expert Comment

by:nishakash
ID: 12232634
Hi:

I have my Exchange server on the DMZ. When I use Outlook 2003, everything works fine.

BUT when I remove my server from DMZ, then Outlook does not work and it gives the error message "Exchange server unavailable".

Please can anyone help.  I have ports 80, 110, 25, 3389, 443 and 445 open already on the router.


Thanks
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question